Cannot log in to vCenter Server using the domain username/password credentials via the vSphere Web Client/vSphere Client after upgrading to vCenter Server 5.1 Update 1

Article ID: 305658

Products

VMware vCenter Server

Issue/Introduction

Symptoms:
  • After upgrading to vCenter Server 5.1 Update 1, you cannot log in with domain username/password credentials through the vSphere Web Client or the vSphere Client.
  • The imsTrace.log file (located at VC Installation Directory\SSOServer\logs\imsTrace.log) contains entries similar to:

    LDAP Parallel Search Thread-15], (GroupAccessSQL.java:1775), trace.com.rsa.ims.admin.dal.sql.GroupAccessSQL, DEBUG, host.domain.com,,,,SELECT GROUP_ID FROM IMS_PRINCIPAL_GROUP WHERE PRINCIPAL_ID = ?
    castle-exec-11], (SecurityTokenServiceImpl.java:117), trace.com.rsa.riat.sts.impl.SecurityTokenServiceImpl, ERROR, host.domain.com,,,,Error while trying to generate RequestSecurityTokenResponse
    com.rsa.common.UnexpectedDataStoreException: Failed group search, unexpected interrupt
    at com.rsa.ims.admin.usa.ldap.GroupAccessLDAP.getPrincipalGroupsFromFSP(GroupAccessLDAP.java:1338)
    at com.rsa.ims.admin.usa.ldap.GroupAccessLDAP.getMemberOfGroupsInBatchForAD(GroupAccessLDAP.java:1273)

  • When logging into the vSphere Web Client, you see the error:

    The authentication server returned an unexpected error:
    ns0:RequestFailed: Internal Error while creating SAML 2.0 Token. The error may be caused by a malfunctioning identity source.

  • The vpxd logs contain entries similar to:

    T17:45:46.416+02:00 [05076 info '[SSO]' opID=E66B0971-00000004-e8] [UserDirectorySso] Authenticate(DOMAIN\user, "not shown")
    T17:45:47.617+02:00 [05076 error '[SSO]' opID=E66B0971-00000004-e8] [UserDirectorySso] AcquireToken SsoException: Unexpected SOAP fault: ns0:RequestFailed; request failed.
    T17:45:47.617+02:00 [05076 error 'authvpxdUser' opID=E66B0971-00000004-e8] Failed to authenticate user DOMAIN\username


    Note: vpxd logs are located in
    %ALLUSERSPROFILE%\Application Data\VMware\VMware VirtualCenter\Logs, which translates to:

    • C:\Documents and Settings\All Users\Application Data\VMware\VirtualCenter\logs in Windows 2003
    • C:\ProgramData\VMware\VMware VirtualCenter\Logs in Windows 2008

  • Logging in using the Use Windows session credentials option via the vSphere Client is successful.
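
To separate this failure from ordinary authentication failures during log review, the vpxd entries can be correlated by opID: a login that hit this issue shows the AcquireToken SOAP fault between the Authenticate call and the "Failed to authenticate user" line. The following is an added example, not VMware code; the function names and the second sample login (a failure without the SOAP fault) are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample modelled on the vpxd entries quoted above; the second
# login (opID AAAA0000-...) is a made-up failure with no SOAP fault.
SAMPLE_VPXD = """\
T17:45:46.416+02:00 [05076 info '[SSO]' opID=E66B0971-00000004-e8] [UserDirectorySso] Authenticate(DOMAIN\\user, "not shown")
T17:45:47.617+02:00 [05076 error '[SSO]' opID=E66B0971-00000004-e8] [UserDirectorySso] AcquireToken SsoException: Unexpected SOAP fault: ns0:RequestFailed; request failed.
T17:45:47.617+02:00 [05076 error 'authvpxdUser' opID=E66B0971-00000004-e8] Failed to authenticate user DOMAIN\\user
T17:50:02.101+02:00 [05080 info '[SSO]' opID=AAAA0000-00000009-f1] [UserDirectorySso] Authenticate(DOMAIN\\other, "not shown")
T17:50:02.400+02:00 [05080 error 'authvpxdUser' opID=AAAA0000-00000009-f1] Failed to authenticate user DOMAIN\\other
"""
# Constructed imsTrace.log excerpt carrying the exception text quoted above.
SAMPLE_IMS = """\
com.rsa.common.UnexpectedDataStoreException: Failed group search, unexpected interrupt
at com.rsa.ims.admin.usa.ldap.GroupAccessLDAP.getPrincipalGroupsFromFSP(GroupAccessLDAP.java:1338)
"""

OPID = re.compile(r"opID=(\S+?)\]")
AUTH = re.compile(r"Authenticate\((.+?), ")
FAIL = re.compile(r"Failed to authenticate user (\S+)")
SOAP_FAULT = "AcquireToken SsoException: Unexpected SOAP fault: ns0:RequestFailed"
IMS_SIGNATURE = "Failed group search, unexpected interrupt"

def triage_vpxd(text):
    """Map each user with a failed login to 'sso_fault' or 'other_failure'."""
    ops = defaultdict(lambda: {"user": None, "fault": False, "failed": False})
    for line in text.splitlines():
        m = OPID.search(line)
        if not m:
            continue  # not a vpxd entry with an operation ID
        op = ops[m.group(1)]
        if (a := AUTH.search(line)):
            op["user"] = a.group(1)
        if SOAP_FAULT in line:
            op["fault"] = True
        if (f := FAIL.search(line)):
            op["failed"] = True
            op["user"] = op["user"] or f.group(1)
    return {o["user"]: "sso_fault" if o["fault"] else "other_failure"
            for o in ops.values() if o["failed"]}

def ims_trace_matches(text):
    """Count imsTrace.log lines carrying the group-search exception."""
    return sum(IMS_SIGNATURE in line for line in text.splitlines())

if __name__ == "__main__":
    print(triage_vpxd(SAMPLE_VPXD), ims_trace_matches(SAMPLE_IMS))
```

Users reported as sso_fault are candidates for this issue when imsTrace.log also shows the group-search exception; users reported as other_failure should be investigated as normal authentication failures.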


Environment

VMware vCenter Server 5.1.x

Cause

This issue can occur if the specified vCenter Server login domain user account is associated with a large number of domain groups and multiple domains are configured as Single Sign-On (SSO) identity sources. The precise number of groups at which this issue can occur varies due to the nature of Active Directory internals. However, it is more likely to occur once domain-group membership for an account exceeds 19.

Resolution

This issue is resolved in vCenter Server 5.1 Update 1b. You can download the latest release from the VMware Download Center. For more information, see the vCenter Server 5.1 Update 1b Release Notes.

Note: All components of vSphere 5.1 must be updated to 5.1 Update 1b for this issue to be fully resolved.

For more information on the resolution, see Logging into vCenter Server using the vSphere Client with vCenter Single Sign-On (SSO) in a multi-domain environment fails (2037410).


Additional Information

Before attempting to upgrade to vCenter Server 5.1.0 U1b, see the readme file to learn about factors critical to a successful upgrade.
For more information, see Upgrading to vCenter Server 5.1 in the vSphere Upgrade Guide.